SET INTERNATIONAL CORP (hereafter referred to the “Company” )’s most important assets (hereafter referred to as “information assets”) are information (inclusive of personal information and specific personal information) and information system, and we need to utilize the information assets more effectively while taking intensive security measures. We shall never allow outbreaks such as leakage, loss, accidents, etc. to happen. The company continues to develop and create new value with well-honed sensibility and ingenuity while maintaining the long-lasting relationship of trust with our clients. It is also necessary for us to ensure security as we adopt a new way of working. ISMS (Information Security Management System) is essential to properly manage the information assets that are distributed and shared within the Company. Therefore, the Company shall work together to promote the ISMS under the policy below.

1. Definition of information security

“Information security” is to protect information assets from threats, and it’s defined as securing and maintaining the “confidentiality”, “Integrity”, and “availability” of the information.

2. Objectives of information security

By protecting the information entrusted by our customers and information assets held by the company managing the risk, we are endowed with the costumer’s trust. For this reason information security is key.

3. Target of information security

Set the effectiveness of the risk management measures and improvement of employees’ recognition towards the information security as the target, we shall realize the effective ISMS through PDCA to achieve the goal.

• Manage the information security appropriately to prevent security accident from happening.
• If an information security accident occurs, to minimize the damage, restore quickly and prevent a recurrence.
• Make sure that all employees recognize responsibility and procedures for the information security and are well-trained.

4. Scope of application

All information assets that are managed by the Company shall be the scope of application. In addition, the eligible persons are all those who handle the information assets. As for the telework staff and outsourcing contractors, after entering the contract, this basic policy shall be applied.

5. Information security organization

The “Design Management Team” manages risks comprehensively and the “Information Security Committee” that practices and decision-making approval authority on information security shall be set up. The Group shall appoint a Chief Information Security Officer (CISO), as the person responsible for information security management.

6. Duty of the CISO

The CISO shall supervise the “Information Security Committee”, and the “Design Management Team” as an organization that controls directly for crossing over the Group. In order to manage risks comprehensively, the CISO shall participate in the meeting body that makes decisions as needed. We shall conduct continuous improvement of establishing information security management system, implementation and maintenance.

7. Implementation and selection of management measures of identification and risk assessment of assets

The CISO and information security committee members shall specify the assets the Group handles and the management representatives. And the CISO shall conduct the risk assessment for the specified assets and select the reasonable and appropriate management measures in order to protect them. Furthermore, response of assets that accompanies incidents shall become the agenda of the decision making organization.

8. Compliance with laws and regulations

The Group shall comply with all relevant Personal Information Protection Law and Specific personal information protection law including laws like Copyright Act, Unauthorized Computer Access Law that are related to information security and a guideline of the industry, company regulation, security obligations on the contract with the customers in good faith.

9. Obligations of the employee

All employees of the company shall observe information security policy and standard about ISMS and a procedure manual. Disciplinary measure shall be applied in accordance with the standards for penalties when a violation occurs.

10. Education

Under the direction of the CISO, the Group shall provide education required continuously in order to thoroughly familiarize all employees, loaned staff, and staff of outsourcing contractors with the contents of this policy and maintain information security.

11. Business continuity management

The Group shall ensure the business continuity of the Group by introducing a business continuity plan to secure continuity of the business and to minimize the interruption of business due to security accidents.

12. Continuous Improvement

The Group shall conduct internal and external audits regularly to evaluate the rationality of information security measures objectively, and shall strive to continually improve by reviewing at the time of need.